- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 28 Sep 2012 10:52:54 -0400
- To: whatwg@lists.whatwg.org
On 9/28/12 7:45 AM, Anne van Kesteren wrote: > I have been looking into defining javascript URLs on top of > http://url.spec.whatwg.org/ and would like some help. You get the > JavaScript source by concatenating the path and fragment, with "#" > inbetween of course, and then removing the percent encoding (for > non-hierarchical URLs query appears to be part of the path). Then you > feed that to the JavaScript parser/interpreter. Sounds right. > What I am wondering about is why e.g. %E2%84 results in a code point > in both Gecko and Chrome and whether that is required for > compatibility (in Opera I get U+FFFD as I expected). I'm not sure I follow. javascript:alert("%E2%84".charCodeAt(0)) does the same thing for me in Gecko, Chrome, and Opera. What are you testing, exactly? > bz also described some kind of special byte-based script in > http://lists.w3.org/Archives/Public/public-whatwg-archive/2010Nov/0317.html > but it appears no other browser has that. That was for treatment of the return value, not for figuring out the string to execute, right? If you're trying to define behavior for various cases of javascript:, you should consider defining the following, to the extent that they're not already defined: 1) Whether the script executes (compare <img src> vs <iframe src>), but note that some UAs _do_ run the script for <img src>, but in a sandbox). 2) When the script evaluates (sync vs async, say). 3) The global object the script evaluates against. 4) The origin and effective script origin of the script. 5) What happens when this doesn't match the origin or effective script origin or whatever of the global object the script is evaluating against. 6) Interactions with sandboxed iframes and CSP. What happens when the parent page sets the location of a sandboxed iframe to a javascript: URI, for example? I would be slightly shocked if there is UA interop here. 7) Handling of the return value of the script. Thanks for doing this! -Boris
Received on Friday, 28 September 2012 14:53:28 UTC